What to do if there's a cyber security incident at your school or kura

Steps to take if you think your school/kura has experienced a cyber security incident, or you've been locked out of your network or computer systems.

If you've had a cyber security incident

Your school's network or systems may have been hacked if:

  • you've been locked out of your network, computers, or software programs
  • money has been taken from your accounts without your knowledge
  • your email is used to target other schools
  • you see suspicious activity in your logs
  • you've been notified by an organisation like the Police, CERT NZ or the media that you've been hacked.

Steps to take

It can be hard to tell if your systems have been breached. That’s because any intruders are often doing it as quietly as possible to give themselves time to see if there’s anything they can gain.

1. Confirm it’s a cyber security incident

In some cases, like if you’re locked out of your systems, it will be obvious that a cyber security incident is occurring. In other cases, it may not be so clear, you may need technical support to help you understand if an incident has happened.

You may have a full-time IT staff member at your school/kura, otherwise it’s a good idea to have an ongoing relationship with an IT provider who you can call on for support. If you don’t have one, ask your local school or kura who they use and their experiences.

2. Understand the scope of the incident

Once you think there’s been a system compromise, you need to figure out how widespread it is. Your response will be different if the intruders only have access to one piece of software, or if they have full access to your school’s network. You need to identify how big it is and then contain it to make sure the intruders don’t spread any further.

If you suspect there is an attacker inside your system, don't log into any new systems, such as online banking – this could give the attacker further access.

You may need help identifying which systems are affected. If you have cyber insurance, it’s a great time to call them – they will provide help via an incident response company who will do the forensic investigation on your behalf.

Cyber insurance is included at no extra cost in the Ministry’s Risk Management Scheme

Risk Management Scheme

3. Contain the incident

Once you know which systems are involved in the incident, you need to contain it to make sure it doesn’t spread further. This may mean disconnecting infected devices or servers from the network or shutting down systems to prevent it spreading. Your technical team will advise what’s best for your situation.

The cyber incident response team will want to look at your logs – this is where the system keeps a record of the actions taken in the system. The incident response team will look carefully at these for suspicious activity. This will help identify how the intruders got in and where they are.

Audit logs - Microsoft(external link)

Security investigation tool - Google(external link)

N4L provides managed network services to most of the schools and kura in New Zealand. They can provide network logs if needed.

Contact N4L(external link)

If systems containing personal information have been accessed, such as student achievement, personal enrolment, or medical information, this is considered a privacy breach. You must report it to the Office of the Privacy Commissioner.

Report to the Office of the Privacy Commissioner(external link)

If the incident is serious or widespread, let us know. We can provide you with communications advice and other support material.

Email: cyber.security@education.govt.nz

4. Close the incident

You may need a specialist (like a cyber incident response team) to investigate how the intruder got in and to make sure they have gone. They will also provide recommendations on how to secure your network to ensure they can't get in again.

It’s a good idea to do a post-incident review. Once your systems are back on track, have a meeting with everyone involved and talk about what went well and what could have been improved. Update any incident response plans or processes to include anything your learned.

Once the incident is resolved there will be actions to take to make sure it doesn’t happen again, for example:

  • change all passwords in the systems the attacker was in
  • turn on 2FA on your accounts, if you haven't done it already
  • you may want to make a printout of your IT provider's contact details to keep handy for future reference.

Last reviewed: Has this been useful? Give us your feedback